[00:21.540 --> 00:28.260]  Hi, I'm Bryson Bort, and thank you for joining us today with the Election Security Panel with the Feds.
[00:28.260 --> 00:35.240]  This is a really momentous occasion, bringing this many federal agencies all together on one hand.
[00:35.240 --> 00:40.400]  The timing is perfect. There is a huge election coming up here in the United States in 2020.
[00:40.440 --> 00:42.280]  There are elections happening around the world.
[00:42.280 --> 00:48.400]  And I think that's a key thing for us to understand, is that while this panel is talking about the U.S. federal government,
[00:48.400 --> 00:55.440]  how we are responding to our American election, when we look at the broader forces that are aligned against democracy in the world,
[00:55.940 --> 00:59.940]  that all comes down to trust in the system for the democracy to work.
[01:00.020 --> 01:02.980]  And those forces are working against places more than the U.S.
[01:02.980 --> 01:06.080]  And so while this is going to be the U.S. government discussing this,
[01:06.080 --> 01:11.580]  I think citizens all over the world and hackers all over the world will be able to take something away from that.
[01:12.360 --> 01:17.660]  Just quick logistics. Q&A will be available through the DEF CON Discord.
[01:17.660 --> 01:21.880]  So if you put your questions in the Voting Village DEF CON Discord,
[01:21.880 --> 01:28.120]  those will make it their way up here to me on the stage and we will answer them as best as we can.
[01:28.120 --> 01:30.380]  Starting off, we have Cynthia Kaiser.
[01:30.800 --> 01:36.640]  Hello, I'm Cynthia Kaiser. I'm an assistant section chief with the FBI Cyber Division.
[01:36.640 --> 01:43.640]  And what that really means is I lead analysis among multiple threat groups for the FBI.
[01:43.640 --> 01:49.260]  That includes election threats, mostly in the cyber arena.
[01:49.340 --> 01:55.400]  And that's by design. I saw what happened in 2016 and I knew that there was nowhere else I wanted to be.
[01:55.400 --> 01:58.140]  And then working this threat as we came into 2020.
[01:58.180 --> 02:02.680]  And I'm really excited to be here with people that I get to see all the time anyways.
[02:03.320 --> 02:10.220]  And so for the FBI in the election space, a good way to think about it is that we're really focused on the threat.
[02:10.220 --> 02:16.700]  So we work hand in hand with our DHS counterparts and they're really focused on the risk to the systems,
[02:16.700 --> 02:18.320]  the remuneration on those systems.
[02:18.320 --> 02:25.280]  But when it comes to the threat response of incidents or looking at investigations into malign foreign influence
[02:25.280 --> 02:32.360]  or investigations into election crimes like ballot fraud, that's where the FBI really plays in the space.
[02:33.360 --> 02:37.940]  David Mordino from the National Security Agency. It's great to be with you here today.
[02:37.940 --> 02:44.980]  I'm an NSA election security lead. Most of you are familiar with NSA's mission, really divided up into two components.
[02:44.980 --> 02:50.120]  Our foreign signals intelligence mission, which is all about figuring out what the adversaries are up to.
[02:50.120 --> 02:56.020]  And then we have the cybersecurity component, which is all about preventing and eradicating threats to national security systems
[02:56.020 --> 03:00.220]  and figuring out how we can protect DOD networks and the like.
[03:00.420 --> 03:04.560]  Really a lot of power from NSA comes with combining those missions.
[03:04.560 --> 03:08.960]  Knowing what the threat is and combining that with a technical analysis and mitigations
[03:08.960 --> 03:13.100]  in order for us to be able to deploy those into unclassified space.
[03:13.260 --> 03:20.820]  From an election security standpoint, I oversee all the activities and partnerships that NSA has on election security.
[03:20.820 --> 03:25.700]  I also co-lead something called the Election Security Group, along with Brigadier General Hartman here,
[03:25.700 --> 03:33.180]  which we'll get into, I'm sure, on the panel. And that's a joint NSA Cyber Command Task Force for protecting the elections.
[03:33.180 --> 03:38.320]  A little bit about me. I grew up in Chicago. That's what I'm representing here in the Comiskey Park shirt, no white socks.
[03:38.700 --> 03:45.580]  And I'm also into craft cocktails. I supplied, in the typical DEF CON tradition, a cocktail of Black Manhattan for everybody.
[03:45.720 --> 03:51.140]  And I'd like to give a shout out to Johnny and Carl for hosting me at Cocktail Con this Tuesday.
[03:51.140 --> 03:57.580]  Really great event and a community in terms of getting the InfoSec community together to talk about cocktails, talk about security.
[03:57.580 --> 04:02.120]  So I appreciate it. I appreciate DEF CON folks for having us here today.
[04:03.420 --> 04:09.560]  Hey, I'm Joe Hartman. I command the Cyber National Mission Force, so part of U.S. Cyber Command.
[04:09.560 --> 04:13.700]  As Dave said, I co-lead the Election Security Group with him.
[04:13.860 --> 04:21.980]  And, you know, the Election Security Group is really partnered with all the agencies you see represented here and others in defense of the 2020 election.
[04:21.980 --> 04:25.220]  We're the part of the U.S. government that focuses on the away game.
[04:25.220 --> 04:33.220]  So we are looking at foreign adversaries, Russia, China, Iran, any other foreign adversary who's attempting to interfere with our elections.
[04:33.540 --> 04:44.580]  We're looking for them in foreign space, and we're partnering with DHS and FBI in order to ensure that we share information that we find abroad that makes us safer here in the United States.
[04:44.580 --> 04:47.160]  I'm really glad to be here today and looking forward to your questions.
[04:47.880 --> 04:53.780]  My name is Maurice Turner. I'm Senior Advisor for the Executive Director at the U.S. Election Assistance Commission.
[04:53.780 --> 04:59.520]  We're a relatively small agency compared to the ones you've heard from earlier today, but our mission is focused.
[04:59.520 --> 05:06.820]  We help make sure that Americans all across the country and all across the world have the ability to participate in elections,
[05:06.820 --> 05:13.660]  whether they're going to be in any one of the 50 states, six territories, or stationed overseas.
[05:13.660 --> 05:23.380]  So our focus is really, how do we make sure that those voters have access to the polls and that they can vote safely, securely, and make sure that their vote counts?
[05:27.060 --> 05:32.420]  And I'm Matt Masterson. I'm the designated survivor that was held back from the federal panel.
[05:32.420 --> 05:38.440]  So if anything happens, we can maintain federal continuity of operations on election security.
[05:38.440 --> 05:42.740]  I'm in a secret skiff out in the Midwest somewhere.
[05:42.740 --> 05:47.820]  I appreciate the voting village for inviting me and the feds to participate.
[05:47.820 --> 05:51.440]  So thankful to Bryson for organizing.
[05:51.440 --> 05:58.060]  And I know we're going to address the question of what's the greatest area of progress since 2016, where have we improved?
[05:58.060 --> 06:09.460]  I mean, the fact that you have a unified federal effort working to help support state and local election officials on this mission space, I think, speaks volumes.
[06:09.460 --> 06:16.020]  I work for the Cybersecurity and Infrastructure Security Agency, or CISA. I'm the election security lead there.
[06:16.020 --> 06:19.700]  Prior to that, I was a commissioner at the EAC, where Maurice now sits.
[06:19.960 --> 06:22.640]  And before that, I was an election official in the state of Ohio.
[06:22.640 --> 06:30.640]  So come from an election administration background, have had to learn the intricacies of both CISA and the IC.
[06:30.640 --> 06:48.600]  And I'm so thankful to everyone sitting up on that stage for their patience with me and working with me and CISA to make sure we're supporting the almost 8,800 state and local election officials across this country, let alone the private sector that we work very closely with and members of academia and nonpartisan organization.
[06:48.600 --> 07:03.820]  Our focus at CISA is to get information, support, services, everything from penetration testing to routine cyber hygiene scans to incident response out to the state and local election officials to help support them and engaging with their voters.
[07:03.820 --> 07:07.720]  The reality is American elections are run at the state and local level.
[07:08.040 --> 07:18.360]  And we want to do everything we can so that those state and local officials can talk to their voters about why the process is secure and why they should have confidence that their vote was counted as cast.
[07:18.360 --> 07:22.900]  So really thankful for this panel and super excited to have this discussion today.
[07:23.520 --> 07:30.400]  Matt, that's a great segue. Trust is key to the infrastructure, right?
[07:30.400 --> 07:45.500]  The process for collecting the votes to determine our democracy starts with that trust and that begins with transparency and accountability, which is why I thought it was so critical to have this panel here for the government to talk about, okay, what's happened and what have we done?
[07:45.500 --> 07:52.040]  So 2016 is when I think this really grew into the consciousness as a significant issue that everybody understood.
[07:52.040 --> 07:55.540]  What exactly happened in 2016 and 2018?
[07:57.540 --> 08:06.020]  Well, on the cyber side, in 2016, Russia compromised multiple different election networks.
[08:06.020 --> 08:09.500]  That included the state network, that included two counties.
[08:09.500 --> 08:22.700]  And as a part of that, we've assessed that they really sought to at least conduct reconnaissance against all 50 states.
[08:22.700 --> 08:27.000]  To try to figure out where it was most vulnerable and where they could get in.
[08:27.060 --> 08:31.860]  Now, we don't think that had any effect on election. We have no information that that did.
[08:31.860 --> 08:38.140]  And really, where they were focused on, really couldn't have.
[08:38.140 --> 08:43.940]  But within that, it's obviously troubling because that's an attack on our election systems.
[08:43.940 --> 08:45.700]  It's attacking critical infrastructure.
[08:45.700 --> 08:53.700]  And it's something that now, looking at that and moving forward, that's why we partnered with everybody here to focus on,
[08:53.700 --> 08:56.560]  how do we, A, harden the networks so that can't happen?
[08:56.560 --> 09:00.540]  And how do we work to counter adversaries so they don't want to do it?
[09:00.540 --> 09:05.680]  And how do we ensure that we can be as transparent as possible?
[09:05.680 --> 09:14.400]  And that's included some various measures like both FBI and CISA will now tell a chief state election official
[09:14.400 --> 09:17.240]  if anything happens on a local election network.
[09:17.480 --> 09:22.520]  That's a change from 2016, and it's a necessary change for the transparency that you noted.
[09:24.300 --> 09:27.940]  Yeah, I mean, I think Cynthia covered the cyber side pretty well.
[09:27.940 --> 09:32.920]  From an influence side, I think most folks are tracking the infamous Internet Research Agency, Troll Farm.
[09:32.920 --> 09:38.400]  So in terms of the social media operations that they were conducting in 2016 and 2018,
[09:39.260 --> 09:44.720]  also hack and leak operations could be very damaging.
[09:44.720 --> 09:52.400]  When we look at it in terms of evolution between 2016, 2018, and 2020,
[09:54.120 --> 10:00.940]  it was mostly focused on Russia in 2016, but we know that the threat is broader than that.
[10:01.100 --> 10:05.320]  For 2020, we're looking at the spectrum of all of our adversaries.
[10:05.320 --> 10:11.820]  Russia, China, Iran, ransomware actors. There's more people in the game.
[10:12.860 --> 10:18.620]  They're learning from each other. Influence is a cheap game to get into now with social media.
[10:18.920 --> 10:25.940]  It doesn't cost a lot of money. You can try to launder your narratives online through different media outlets.
[10:25.940 --> 10:28.500]  So that's something we're laser focused on.
[10:30.220 --> 10:38.480]  For us, in 2016, election security really wasn't a priority mission for the Department of Defense.
[10:38.580 --> 10:43.740]  It just wasn't something that we had previously focused on, heavily involved in other operations.
[10:44.420 --> 10:50.960]  And so while we were focused on other operations, the Russians obviously focused on our elections.
[10:50.960 --> 10:58.680]  We learned from that in 2018, between Cybercom and NSA, we formed what was called the Russia Small Group,
[10:58.680 --> 11:03.180]  really laser focused on Russian interference in the 2018 election.
[11:03.220 --> 11:08.900]  For us, that never stopped. I got back to the command about a year ago in 2019,
[11:08.900 --> 11:13.900]  and we didn't start up this thing called the Election Security Group that was already working.
[11:13.900 --> 11:19.120]  And it never stopped working from 2018, and we think we're in a much better position now,
[11:19.120 --> 11:22.080]  certainly, than we were in 2016 or 2018.
[11:22.900 --> 11:29.580]  The big change from 2016 to 2018 and now into 2020 really started with the critical infrastructure designation
[11:29.580 --> 11:36.900]  that allowed all these federal partners to come together in a way that we'd be able to better protect our election infrastructure.
[11:36.900 --> 11:41.680]  And I think that that really is the key to all of this, which is information sharing,
[11:41.680 --> 11:49.540]  making sure that information is shared amongst agencies, but also to the state and local partners as well.
[11:49.540 --> 11:54.580]  The folks are actually running their own networks, their own infrastructure. And so that's where EAC comes in.
[11:54.580 --> 12:00.260]  We have relationships, we're building those relationships with the state and locals to make sure that they understand the information
[12:00.260 --> 12:05.600]  that's coming to them from their federal partners, and that they realize that they're part of the solution too.
[12:07.520 --> 12:15.380]  It's how this all works. It's not just keeping those information notices in a silo and keeping them at the local level.
[12:15.380 --> 12:19.440]  It's a sharing up and down the stack to make sure that the infrastructure is protected,
[12:19.440 --> 12:24.640]  because it may not just be an attack that happens on a single state or a single county.
[12:24.640 --> 12:31.060]  That might be happening other places. And if we're not sharing information, then the partners don't know that that coordination is going on.
[12:32.200 --> 12:35.880]  Yeah, just to build off on what some of the other panelists have said.
[12:35.880 --> 12:43.540]  For me, the biggest change has really been that level of coordination and support with state and local election officials.
[12:43.540 --> 12:48.380]  As many people know, when the critical infrastructure designation was made in 2017,
[12:48.380 --> 12:53.800]  there was a lot of resistance, understandably, from state and local election officials and skepticism.
[12:54.180 --> 13:00.620]  And we sat there in 2018 and had relationships with all 50 states, had information flowing,
[13:00.620 --> 13:04.560]  we're deploying Albert sensors. We sit here now on the brink of 2020.
[13:04.560 --> 13:10.260]  We not only have Albert sensors, so intrusion detection sensors deployed across networks in all 50 states.
[13:10.280 --> 13:20.380]  We have an ISAC, an information sharing analysis center with close to 3,000 state and local partners receiving information, pushing information back to us.
[13:20.380 --> 13:26.260]  We're now deploying endpoint protection in many of the states and across localities to have additional insight.
[13:26.260 --> 13:32.920]  But really, that ability to coordinate across the federal government and push information back down to the state and locals has improved so much.
[13:33.220 --> 13:42.740]  The federal government, I think, is working in a way around election threat information that I don't know that it did around other issues.
[13:42.740 --> 13:48.480]  We are able now to take information, and state and locals are sharing all kinds of reporting with us,
[13:48.480 --> 13:52.620]  and push it across the interagency, the folks that you see sitting up on the stage here,
[13:52.620 --> 13:56.900]  and then push out alerts and warnings through the ISAC broadly to the community.
[13:56.900 --> 14:06.680]  And that's just a function that wasn't there certainly in 2016 and is really being honed and improved upon from 2018 to 2020, and that broad reach.
[14:06.680 --> 14:11.900]  And so that ability to really work with the election officials to understand risk,
[14:11.900 --> 14:16.900]  our risk understanding is much deeper than it was 2016 or 2018,
[14:16.900 --> 14:23.620]  to the point where as COVID has developed and kind of changed operations within elections offices,
[14:23.620 --> 14:27.520]  we've been able to be responsive and understand where the risk is shifting,
[14:27.520 --> 14:33.480]  and try to help gear our support, our information sharing, to understand that risk shift,
[14:33.480 --> 14:38.080]  so that they can take appropriate steps to mitigate that risk and really ensure the integrity of the election,
[14:38.080 --> 14:39.900]  and then turn around and message it to voters.
[14:39.900 --> 14:43.240]  And I think that's a theme you're going to hear throughout this conversation,
[14:43.240 --> 14:51.500]  really reach in that last step of talking to voters about their options, about how they can vote,
[14:51.500 --> 14:58.460]  about the process and security is really critical in an environment when we know adversaries are trying to undermine confidence in the process.
[14:59.400 --> 15:04.640]  So part of what we've learned, which stems from the problem, and a lot of what the solution has been,
[15:04.640 --> 15:09.480]  has been the designation of this as critical infrastructure, the federal collaboration,
[15:11.280 --> 15:16.580]  where this isn't the first time you're all meeting each other. You all know each other pretty well, right?
[15:16.580 --> 15:23.540]  I was talking to Bryson earlier that I've been on panels before with people from the government who are all working the same issue,
[15:23.540 --> 15:26.180]  and then you're meeting the person right before the panel starts.
[15:26.420 --> 15:29.540]  So when Bryson reached out and said, we're going to have a panel on election security.
[15:29.540 --> 15:32.980]  And I asked, OK, who's going to be on it? And he started to tick it off names.
[15:32.980 --> 15:38.560]  And I'm like, OK, I talk to these people multiple times per week or sometimes every single day or multiple times a day.
[15:38.560 --> 15:45.100]  So it really just shows how deep the collaboration is. I spent a lot of time in counterterrorism.
[15:45.100 --> 15:50.480]  You think that's a mission that, you know, and it is a mission that the government rallies around.
[15:50.480 --> 15:56.140]  But election security, I don't get it out of the water in terms of how much we all talk to each other.
[15:56.780 --> 16:00.900]  Right. I mean, there's no better example than that.
[16:00.900 --> 16:07.140]  This panel is a representation of what's already happening. This panel is not the thing that is driving it.
[16:07.140 --> 16:10.560]  Right. We are capturing a moment in time of what's been accomplished.
[16:10.660 --> 16:16.080]  If we had tried to do this in 2016, we would have been spending the last 30 minutes all shaking each other.
[16:16.080 --> 16:21.540]  So what do you do? What do you do? What exactly is that?
[16:21.940 --> 16:26.580]  Tell us about the Midwest, Matt. Like, we've never heard of these things. Sorry, that's a Chicago thing.
[16:27.660 --> 16:31.600]  OK. And how information sharing isn't just sharing information. Right.
[16:31.600 --> 16:36.280]  But it's the fact that the information is being shared so that missions are being executed.
[16:36.280 --> 16:39.960]  Things are happening with it. Right. Those risks are being assessed.
[16:40.380 --> 16:43.920]  Those actions are being taken. And I really like the way you phrased it, Joe. Right.
[16:43.920 --> 16:47.100]  We're playing the away game. I'll translate that for everybody.
[16:47.100 --> 16:49.560]  Actually, why don't you translate what the away game is?
[16:49.560 --> 16:53.100]  Yeah. So. So let me translate the away game at the end.
[16:53.100 --> 16:56.040]  I mean, if I could just talk about the collaboration, the relationships.
[16:56.120 --> 17:00.100]  You know, a good example is like the rehearsal that we did on Super Tuesday.
[17:00.320 --> 17:04.180]  And so, look, I'm in the Army. I've been in the Army a long time, just like Dave.
[17:04.180 --> 17:10.160]  You know, I spent a lot of time in the CT fight and, you know, a lot of times in panel rooms and places like Afghanistan.
[17:10.160 --> 17:13.420]  And, you know, we operate out of these joint operations centers. Right.
[17:13.460 --> 17:20.360]  And in the joint operations centers, we're sitting in there, as you can imagine, we love flat screen TVs, a lot of flat screen TVs on the wall.
[17:20.360 --> 17:25.540]  And, you know, unmanned aerial vehicles are flying around and other collection assets.
[17:25.600 --> 17:31.420]  All that data is being pumped into the room where you're immediately able to make sense of it and then make decisions.
[17:31.420 --> 17:34.540]  You know, allocating resources, sending forces, doing what.
[17:34.580 --> 17:43.600]  And, you know, Super Tuesday, if you walked into the to the room that we were using as a mission center, you know, you would have seen cybercom personnel.
[17:43.600 --> 17:47.840]  You would have seen NSA personnel and you would have looked in a chat room.
[17:47.840 --> 17:54.040]  And almost every organization that you could imagine involved in the federal government is in a chat room.
[17:54.040 --> 17:57.720]  OK, and they are talking about in almost real time.
[17:57.720 --> 18:08.800]  If something goes on on state election infrastructure in North Carolina, you know, there is an unclassified chat going up to DHS drops it in a classified chat room.
[18:08.800 --> 18:23.400]  You've got analysts from NSA and cybercom and other government agencies immediately combing their databases and then almost instantaneously providing information back that says, hey, this is something you should be concerned about.
[18:23.400 --> 18:26.660]  Or this is just normal traffic that we see on any day on the Internet.
[18:26.660 --> 18:32.480]  It looks anomalous because we're paying a lot more attention to it right now because there's this thing called Super Tuesday going on.
[18:32.480 --> 18:39.940]  You know, at the same time, I've got defensive cyber elements that are sitting in things we call war rooms and they are waiting on a call.
[18:39.960 --> 18:45.340]  You know, if there is something that happens that DHS needs help with, you know, they are trained.
[18:45.520 --> 18:49.500]  They have collaborated in the past and we're ready to kick a team out.
[18:49.500 --> 18:53.400]  Additionally, we have elements that are that are sitting over in other off centers.
[18:53.500 --> 18:59.260]  Okay, and they are prepared if we see an adversary that's attempting to do something to interfere with that election.
[18:59.260 --> 19:02.000]  You know, we have the ability to play the away game.
[19:02.000 --> 19:05.820]  And so we have the ability to go out in foreign space and look at what you're doing.
[19:05.880 --> 19:08.500]  And we have the ability to make you stop doing that.
[19:08.500 --> 19:20.280]  And that's really the focus of what I think the federal government looks like from the local and state level all the way up through the national level to the Department of Defense.
[19:20.280 --> 19:24.840]  And, you know, for me as American, honestly, that was a pretty impressive experience.
[19:25.380 --> 19:33.300]  If I could take a slight turn from that, I think it is important to call out the collaboration that we have in the government.
[19:33.300 --> 19:39.740]  But I think the other evolution that's occurred is the engagement with industry here, right?
[19:39.920 --> 19:44.720]  I'm sure we have a lot of people who are, you know, working for the federal government all that year.
[19:44.720 --> 19:50.820]  And I think that's been a major component of the shift in posture we have for election security.
[19:51.020 --> 19:55.060]  I mean, it's awesome when you're reading about, you know, disinformation networks being pulled out.
[19:55.820 --> 20:03.880]  Obviously, the cybersecurity companies really focused on election threats and trying to hunt down, you know, adversaries and what they're up to.
[20:03.880 --> 20:16.200]  You know, we can't do this mission without them and without industry help from state and local election officials, but also the cybersecurity companies and how we can feed off each other.
[20:16.200 --> 20:22.620]  We learn from what industry is putting out and what we're providing value at and what we're putting out.
[20:22.880 --> 20:27.220]  So people can leverage that in the systems and insights they have, right?
[20:27.280 --> 20:30.840]  Industry has a lot better insights than the government does in a lot of these cases.
[20:30.840 --> 20:34.180]  So they're a critical partner in this partnership.
[20:34.980 --> 20:45.140]  And I think that taking that a step further, even the individual level collaboration, you know, not just a big corporate or a company collaboration with the federal government,
[20:45.140 --> 20:51.800]  but people who call in suspicious information because they're worried about it.
[20:51.920 --> 20:56.320]  And they call DHS, they call FBI, they call any of us.
[20:56.320 --> 21:01.920]  And they are calling because they're worried and they want to do the right thing.
[21:01.920 --> 21:11.920]  And because those people call, the majority of the information that really we're able to get to state and locals since 2016, it's been because people called us.
[21:11.920 --> 21:15.880]  They said they were concerned about something, we looked at it, and we said, you're right, and we got it out to everybody.
[21:15.880 --> 21:21.400]  So there's this element of that corporate industry responsibility and collaboration.
[21:21.400 --> 21:28.580]  There's a federal government collaboration, but there's that individual collaboration too with all of us that it really is working well together.
[21:29.560 --> 21:33.180]  Yeah, Bryson, if I can just really quick on that.
[21:33.300 --> 21:36.700]  I think Cynthia raises a really good point and it's appropriate here.
[21:36.700 --> 21:42.820]  Just the fact that there's now a guide for coordinated vulnerability disclosure for state and local election officials.
[21:42.820 --> 21:51.540]  In 2016, as a member of the election community, I can tell you that was not a known commodity or something that they were even considering.
[21:51.540 --> 21:57.800]  And now we're progressed where folks like Jack Cable, who I know was on before, have built relationships with election officials,
[21:57.800 --> 22:07.180]  to help them understand the value of vulnerability disclosure and working with independent researchers and security experts in that way.
[22:07.180 --> 22:15.020]  The fact that private industry within the elections community is rolling out vulnerability disclosure policies and engaging in that conversation,
[22:15.020 --> 22:18.060]  not something that was going on in 2016.
[22:18.060 --> 22:23.820]  And so the multiple avenues of information, the multiple avenues of collaboration are really encouraging.
[22:23.820 --> 22:25.680]  I think we have a ways to go.
[22:25.680 --> 22:29.920]  I think there's lots of room for improvement, certainly on the federal side to help coordinate on that.
[22:29.920 --> 22:36.460]  At the state and local level, increasing capacity, the ability to intake and resolve and mitigate those vulnerabilities.
[22:36.620 --> 22:41.560]  But it's a drastic improvement from where we were even four years ago,
[22:41.560 --> 22:46.520]  and really speaks to the professionalism of state and local election officials in particular,
[22:46.520 --> 22:56.400]  who care deeply about the security of this process in their systems and want to find ways to improve and talk to their voters about the steps they've taken to secure it.
[22:57.540 --> 23:02.560]  This industry and this community has really matured very quickly compared to some others.
[23:02.560 --> 23:10.760]  And I think it's part due to events like this, like DEF CON, where researchers are coming together, talking about what's going on,
[23:10.760 --> 23:21.220]  where are their vulnerabilities, what are some ways we can fix it, taking a look at other industries like telecoms, aviation, things like that, and getting those best practices out of the way kind of quickly.
[23:21.620 --> 23:25.000]  And as Matt was saying, it's because individuals care.
[23:25.000 --> 23:31.480]  And I think that's probably the biggest part of this that I want people to take away from this is that elections happen in communities.
[23:31.480 --> 23:37.760]  And I think that's really what it comes down to is everyone gets a sense of how important it is at the very local level.
[23:37.760 --> 23:43.580]  And all that builds up to build a sense of national urgency and importance about the issue.
[23:43.660 --> 23:55.100]  And to see the election officials really get on board with this idea that they are part of the defense network to make sure that we don't have interference playing
[23:55.560 --> 24:07.440]  in our elections and to see them, you know, get educated on the issues and really try to convey their own sense of confidence in their systems, because they know what goes into running an election.
[24:07.560 --> 24:13.480]  It's not all just about cybersecurity. There are administrative tasks they need to do. There are other tasks that some of them are even
[24:14.280 --> 24:19.280]  responsible for. And so, you know, they care deeply about elections. They want to make sure that everyone who votes
[24:19.280 --> 24:26.880]  has a level of confidence that they can feel when they go into the polling place or when they mail in their ballot.
[24:27.160 --> 24:34.620]  So a follow-up question to Maurice and to Matt. This follows from a question from Neil McKernan.
[24:34.920 --> 24:44.240]  And it is, we're talking to a very unique audience today, right? They are citizens of the world. They're American citizens, but they're hackers, right?
[24:44.240 --> 24:50.940]  This is the new system of the Internet that's there to figure out what works best. And here's the thing.
[24:51.340 --> 24:57.320]  They're doing it today in the voting village. They're doing it on the technology. We talked about industry involvement.
[24:57.320 --> 25:04.940]  We have individuals willing to take their time to actually dig into the technology itself to understand what works and what doesn't,
[25:04.940 --> 25:08.880]  because that gives us better trust in that technical implementation of the system.
[25:08.880 --> 25:18.920]  And so the full question here is, when would we start potentially having a prerequisite for entrance to the VVSG certification process
[25:18.920 --> 25:25.200]  that election system vendors adopt good vulnerability disclosure policies, as called out today,
[25:25.200 --> 25:28.480]  to make them widely available for penetration testing?
[25:29.160 --> 25:35.580]  I'll take that since EAC is in charge of the development and the approval of the VVSG.
[25:35.580 --> 25:43.040]  So those are guidelines that are used by states, and it directs the manufacturers to meet certain requirements
[25:43.040 --> 25:47.820]  so that they build their systems in a way that is accessible and secure and usable.
[25:48.100 --> 25:57.140]  And so I think the idea of a vulnerability disclosure policy being part of that would really just be the codification of industry best practices.
[25:57.140 --> 26:07.520]  Now, the manufacturers know that they are in competition to help bring a better level of security to these systems that are in use.
[26:07.520 --> 26:11.720]  And so I think that that's already happening. We've seen the fruits of that labor already.
[26:11.720 --> 26:17.740]  It didn't need to come from a federal agency to help the process along.
[26:18.340 --> 26:22.060]  So to answer Neil's question, it's already happening.
[26:22.060 --> 26:28.580]  And so as the industry continues to mature, I think that we'll see more and more vulnerability disclosure policies.
[26:28.580 --> 26:33.640]  And I'm hoping that you folks out there get interested in this sector and actually use them.
[26:33.640 --> 26:40.520]  Find that legal way of doing the research and then reporting it responsibly to make sure that the problems actually get fixed.
[26:40.520 --> 26:46.520]  This isn't about a big bug bounty that you're going after. This isn't about trying to embarrass anyone.
[26:46.520 --> 26:50.820]  This is about strengthening our democracy, literally through strengthening our systems.
[26:52.000 --> 26:57.080]  Yeah, Bryson, just to just add a little bit, Maurice really tackled the meat of the issue.
[26:57.080 --> 27:10.600]  But I agree. I mean, we have had several vendors, election system vendors, come through our penetration testing process, what we call our critical product evaluation process up in Idaho.
[27:10.700 --> 27:13.360]  We have seen the private sector embrace that.
[27:13.360 --> 27:20.920]  And now we're starting to see, I think, the fruits of the work of not just the voting village, but the private sector companies to understand the value.
[27:20.920 --> 27:31.400]  And frankly, the marketplace dictating that improves security steps towards coordinated vulnerability disclosure processes are going to be good for business.
[27:31.400 --> 27:35.220]  And that's why you see a reflection in progress being made.
[27:35.220 --> 27:44.520]  The private sector is hearing from customers, is responding, and I think we'll continue to see progress made on that level.
[27:44.520 --> 27:50.320]  I think one step we need to take, and I know the EAC takes this very seriously and states need to be thinking about it too,
[27:50.320 --> 27:55.280]  but to the extent it involves equipment, whether e-poll books or voting systems that they certify,
[27:55.280 --> 28:03.260]  you have to be ready to respond and adjust certification quickly, adapt to those type of processes.
[28:03.260 --> 28:17.620]  So I think we have a maturing to do sort of in the bureaucratic lane to make sure that we can support the private sector as they're changing and evolving and accepting this approach,
[28:17.620 --> 28:24.260]  that we support them in our certification processes and the way that systems need to be fielded.
[28:27.370 --> 28:35.050]  So that all ties back to that, what is the threat? China, Iran, Russia have been mentioned. How are they a threat?
[28:35.050 --> 28:38.950]  What are they doing? And are they the only threat that we need to be worried about?
[28:40.970 --> 28:45.730]  So I'll start with that one. I would say those are the main threats we're facing.
[28:45.730 --> 28:56.050]  Again, I think ransomware is like one of those wild cards out there that could be fielded by anyone, in theory, criminal actors, etc.
[28:56.050 --> 29:06.510]  So they could probably say more to that. So for Russia, I think in terms of an evolution, what we've seen, we talked about the Internet Research Agency,
[29:06.510 --> 29:09.950]  what they did in kind of social media accounts and the troll farms.
[29:10.290 --> 29:15.250]  In terms of 2020, we've seen a shift more towards the use of proxies.
[29:15.250 --> 29:21.350]  I guess I should maybe say intermediaries when we're in a technology crowd instead of saying proxies.
[29:22.210 --> 29:31.190]  So using, again, I mentioned before, laundering information through other individuals into the media space.
[29:31.190 --> 29:41.170]  The IRA, you've seen that shift tactics. They had set up something in Africa, in Ghana, in terms of trying to have people there,
[29:41.170 --> 29:53.110]  trying to put stuff online, posting things about socially divisive issues, using covert influence websites to be able to get their narrative out.
[29:53.410 --> 29:56.910]  So that's kind of a shift of tactic we've seen from the Russia side.
[29:56.910 --> 30:07.410]  China, I think scale is something that is a bit unmatched in terms of them as a threat, both from a cyber standpoint and from an influence standpoint.
[30:07.410 --> 30:13.650]  Certainly on influence, they've been very active in that region, Taiwan, Hong Kong.
[30:13.870 --> 30:20.950]  Then becoming potentially more aggressive in the U.S. space is something that we need to monitor and be prepared for.
[30:20.950 --> 30:29.230]  But in cyber, for the China cyber threat, they're a little bit different in terms of the scale and breadth of the targets they go after.
[30:29.230 --> 30:37.470]  It's like every U.S. citizen is a target of China, just because of the big data, PII that they're interested in collecting.
[30:37.650 --> 30:43.270]  Obviously, everyone's familiar with IP threat, besides just the standard intelligence-type targets.
[30:43.450 --> 30:46.410]  So I think that sets them uniquely apart.
[30:46.410 --> 30:56.210]  And Iran, just getting into the game, too, in terms of them trying to do social media influence and learning from what the other adversaries are doing.
[30:58.450 --> 31:06.250]  Yeah, so Russia, I would offer everyone you should read the report that came out from the State Department a couple of days ago.
[31:06.290 --> 31:13.370]  77 pages called the Pillars of Disinformation about the various sites operated by Russia.
[31:13.370 --> 31:28.470]  Just ask yourself, why in Russia, a country where few people read or write English, do they continue to put out a tremendous amount of English language news on these French news outlets?
[31:28.470 --> 31:32.450]  That really involved divisive issues that are U.S.-based.
[31:32.450 --> 31:39.190]  And so, again, a tremendous amount of platforms that the Russians invest in.
[31:39.190 --> 31:48.950]  CNN ran a great news exposé in April of 2020 about an organization that Dave referenced.
[31:48.950 --> 32:01.230]  So 18 Trolls in Ghana, led by a guy named Seth Wierdo, who grew up in Ghana, educated in Russia, and appears to have been on the payroll of the Purgosian network.
[32:01.230 --> 32:04.830]  So, again, it's about a seven-minute watch.
[32:05.510 --> 32:10.790]  And that can just provide you some insight into what the Russians are doing there.
[32:10.790 --> 32:30.310]  And then, you know, when we talk about private industry, you know, whether it's Facebook, Google, Microsoft, you know, there are dozens of articles about how these technology companies have identified this malicious behavior on their platforms that they're able to link back to the nation-state adversaries, Russia, China, and Iran.
[32:30.310 --> 32:34.970]  So, you know, I would tell everybody that there's a ton of stuff out there.
[32:34.970 --> 32:40.410]  You know, I know when we talk to CyberComm and NSA, we want to focus on that classified cyber box.
[32:40.410 --> 32:47.450]  But I'll tell you, there is a tremendous amount of great information already out there on the Internet that can provide you a lot of insight.
[32:48.150 --> 32:59.750]  You know, as Cynthia talked about, you know, we, you know, the U.S. government, you know, for you experts that are out there, you know, if you see suspicious activity, tell DHS.
[32:59.750 --> 33:03.750]  Tell the FBI. You know, we, the government, will do something about it.
[33:03.830 --> 33:07.350]  You know, if it's a domestic threat, those organizations will address it.
[33:07.350 --> 33:11.890]  If it's a foreign threat, they'll tell us. And I don't mean they'll tell us like six months from now.
[33:11.890 --> 33:15.710]  They'll tell us that day. They'll tell us early the next morning.
[33:16.010 --> 33:21.070]  You know, we had an incident the other night that, you know, occurred at 1.42 in the morning.
[33:21.230 --> 33:24.950]  And, you know, about 6 o'clock in the morning, we had cyber teams looking at the activity.
[33:24.950 --> 33:33.850]  So, again, for you experts out there, you know, you know better than anybody else if something weird is going on on the Internet.
[33:33.910 --> 33:38.050]  And I would just ask you to share that and we, the government, will take action.
[33:38.150 --> 33:49.450]  And I'd say, too, just from a cyber aspect, because I know we're talking to a lot of the hacker community, you know, leveraging trust relationships, you know, it's a common technique.
[33:49.450 --> 33:55.750]  Right. So, you know, some of these networks that they might be interested in are very well defended, just like the DoD.
[33:55.750 --> 33:59.570]  Right. But, you know, companies sometimes outsource their marketing departments.
[33:59.570 --> 34:06.350]  There's other other soft targets out there, think tanks, that could be lucrative even from an Intel perspective.
[34:06.350 --> 34:12.090]  You know, think tanks do policy work for politicians. They have contacts with elected officials.
[34:12.110 --> 34:14.810]  So, you know, sometimes going outside the bullseye.
[34:15.370 --> 34:24.170]  And again, a lot of this is common techniques, exploiting publicly known CVEs, you know, password spraying, spear phishing, you name it.
[34:24.310 --> 34:28.690]  You know, they're using Shodan, they're using Burp Suite, they're using those tools.
[34:28.690 --> 34:37.770]  They can get access to a network that maybe isn't inside the bullseye, leverage that, leverage an account, leverage a network connection to get into the target they're going after.
[34:37.770 --> 34:45.710]  And that's an important point. And that type of targeting hasn't really stopped from 2016 on.
[34:45.730 --> 34:53.890]  So spear phishing or looking for those networks that might be connected to the targets that they more desire.
[34:54.210 --> 34:59.050]  That's been continuing the pace. And I mean, we're tracking a lot of incidents even right now.
[34:59.330 --> 35:06.030]  And the good news with all those incidents is we haven't really seen any widespread impacts from those.
[35:06.030 --> 35:13.330]  But it's interesting because tracking a lot of incidents can feel scary.
[35:13.330 --> 35:21.890]  But it also gives me a lot of... it makes me feel better almost because I know that we're detecting every tremor.
[35:22.070 --> 35:27.870]  And that means we have a lot of false positives that we follow up on.
[35:28.170 --> 35:31.710]  I'd much rather that than not knowing things are out there.
[35:31.710 --> 35:34.290]  But it also means we have a fuller picture.
[35:34.290 --> 35:41.470]  And part of that fuller picture, as Dave mentioned, is on cyber criminals and not just ransomware.
[35:42.270 --> 35:48.010]  Other types of incidents as well and actors as well.
[35:48.010 --> 35:54.590]  And we really have to be on guard, not just if it's coming from Russia or China or Iran or a host of other groups,
[35:54.590 --> 35:59.170]  but a threat to an election network or a campaign network is a threat.
[35:59.170 --> 36:04.310]  And we need to be able to be really flexible in addressing that.
[36:04.310 --> 36:13.410]  And getting in front of that head on so that we can't make sure that come election day we're not dealing with a lot of pop-up threats
[36:13.410 --> 36:17.450]  and we're spending a lot of time trying to figure out really what happened.
[36:17.490 --> 36:23.510]  Yeah, I think that the nexus of cyber and the cyber threats and influence threats is a dangerous space.
[36:23.510 --> 36:32.150]  We know about Hackenleak and how that could impact potentially the voter populace and their opinions.
[36:32.590 --> 36:44.570]  But we were just talking before this panel, I think, in terms of using influence to make people distrust either the electoral outcomes.
[36:44.570 --> 36:51.610]  So you could have a ransomware incident in a local network that actually doesn't even impact.
[36:51.610 --> 36:56.050]  The elections counting or any of that.
[36:56.050 --> 37:04.810]  But someone could then spin an influence campaign when that gets reported to make people think it has had an impact and then not trust the results.
[37:04.810 --> 37:08.370]  Right. So that's one of those things that I think is worrisome.
[37:08.370 --> 37:16.630]  Even if a cyber attack doesn't actually have a measurable impact in terms of the conduct of the election or voting tallies.
[37:17.570 --> 37:23.650]  But, you know, if someone's able to take that and then try to spin off an information operations campaign from it.
[37:26.010 --> 37:33.930]  That point, I'd just like to drive home is that it's not just about, you know, what actually happened, where votes actually change.
[37:33.930 --> 37:37.570]  That's incredibly difficult to do at scale in a way that's undetectable.
[37:38.310 --> 37:45.690]  But if you can put that message out there that causes people to question and their local election official picks up that phone call and they don't have a good response for it.
[37:45.690 --> 37:47.410]  That can be just as damaging.
[37:47.450 --> 37:54.650]  So that's why at EAC we feel so strongly about making sure that local election officials have the tools, have the training that they need.
[37:54.650 --> 38:02.390]  So we partner with the Center for Tech and Civic Life to actually provide that basic intermediate level of cybersecurity training.
[38:02.390 --> 38:05.810]  So that they understand, you know, why is it important to have two-factor authentication?
[38:05.810 --> 38:10.430]  You know, what does it mean to actually have a password manager so you're not reusing your passwords?
[38:10.430 --> 38:17.210]  These are all basics that most folks that are watching us right now are thinking, how can anybody not know how to do that?
[38:17.210 --> 38:23.710]  But if you've never been taught that or if you don't have an understanding of the impact of that, then it might be too much work.
[38:23.770 --> 38:29.290]  But once you understand how much bad stuff that can actually prevent you recognize, it's actually not that difficult.
[38:29.290 --> 38:32.750]  It's actually pretty easy to use it if you are familiar with the tools.
[38:32.970 --> 38:36.170]  And then it gives you the confidence to stand up and say, you know what?
[38:36.190 --> 38:39.010]  Yeah, we heard about the ransomware or maybe we got hit with some ransomware.
[38:39.370 --> 38:44.090]  You know, the town down the street, but we're ready. These are the things that we're doing.
[38:44.090 --> 38:45.550]  We're also doing some other things we're not going to talk about.
[38:45.550 --> 38:52.090]  But here are some of the big things, the high-level things that we're doing to be prepared so that if we do get a phishing email, we know how to spot it.
[38:52.090 --> 38:57.510]  We know how to stop it. We can recover, you know, from those backups if we actually do get hit with it.
[38:57.590 --> 39:07.170]  And so I think that's why it's so important that the local election officials have a level of confidence that they can then reflect back on to their voters when it comes to elections.
[39:07.950 --> 39:12.370]  Yeah, just real quick on that. Maurice raises some really good points.
[39:12.370 --> 39:25.350]  And it's why we spent a lot of time at CISA on something we call the Last Mile Project, which is literally a poster project offering both risk assessment and then mitigation advice to the local level,
[39:25.350 --> 39:31.930]  almost 6,000 local jurisdictions specific to their state and their jurisdiction so that they can not only take the steps,
[39:31.930 --> 39:41.310]  whether it's multi-factor authentication or penetration testing or phishing campaign resilience or creating incident response plans, which we really focused on,
[39:41.310 --> 39:45.530]  but then can go and talk to their voters. And we've seen some cool approaches to this.
[39:45.530 --> 39:53.530]  We saw one state, the state of Iowa, take their posters out to the state fair so that they could talk to their voters directly about steps that they were taking.
[39:53.530 --> 40:01.910]  We saw the state of Rhode Island work with their libraries to put it up in the library system so that they could talk to voters through the libraries about this.
[40:01.910 --> 40:11.130]  And in the end, and I think Dave raises a really important point, there's resilience to cyber intrusion, resilience, and the ability to recover from incidents.
[40:11.130 --> 40:16.510]  But then there's the resilience that we need to install in talking to the American voter.
[40:16.510 --> 40:23.090]  We need voters that are prepared, that understand their registry. Am I registered? What's on my ballot?
[40:23.090 --> 40:29.230]  What are my voting options, particularly amongst COVID, so that they can have confidence on how they're going to engage the process?
[40:29.230 --> 40:38.290]  We need a voter that is patient, that understands that perhaps election night results won't be as complete as what we're used to in a given jurisdiction,
[40:38.290 --> 40:43.850]  and that the accuracy of the vote count is the most important thing, regardless of the time it takes.
[40:43.890 --> 40:47.070]  And then we need a voter that participates, that engages.
[40:47.070 --> 41:01.770]  We need, you know, 250,000 or more poll workers across this country in preparation for November in the midst of COVID when we have poll workers that, you know, are going to be unwilling to work, either because their age or high-risk nature.
[41:02.130 --> 41:10.790]  And so having people engaged and participating, the reality for those folks that are listening, no one told me anyone would be listening to this, so now I'm a little worried.
[41:10.790 --> 41:15.970]  But anyone that is listening, go sign up to be a poll worker if you want to understand the process.
[41:15.970 --> 41:19.070]  Matt Blaze hits this every time, and he's exactly right.
[41:19.070 --> 41:25.970]  If you have questions, if you have concerns, if you want to help secure the process, start off by being an election worker.
[41:25.970 --> 41:28.650]  You're not going to get turned down. We need you.
[41:28.810 --> 41:35.770]  And it's the best way to learn where the resiliency exists in the process, where improvements can be made in order to get involved.
[41:35.770 --> 41:41.830]  If you can't be a poll worker, if you can't take on that risk, there are opportunities to watch pre-election testing of systems.
[41:41.830 --> 41:47.150]  We run elections at the local level so you can participate directly with those who run the process.
[41:47.150 --> 41:54.170]  So go get your questions answered. Go engage with them and see what kind of support they're in need of, in particular serving as an election worker.
[41:54.170 --> 41:59.010]  It really is the best path to doing this and the best way to learn the process.
[41:59.010 --> 42:03.950]  But if we can have voters, voters are our last line of resilience, as Director Krebs says.
[42:03.950 --> 42:11.690]  They're the ones that can really ensure a responsive, resilient process when attempts to undermine confidence are there.
[42:12.770 --> 42:18.870]  There is no such thing as a secure system, right? We never hit the plateau where it's like, oh, we're good.
[42:18.870 --> 42:22.110]  We can all pack up, go home and take the next year off.
[42:22.110 --> 42:29.330]  So quick question from a lot of interested citizens who want to get involved.
[42:29.330 --> 42:34.050]  Ties to the fact around, OK, so you talk about detection being a key part of that secure system.
[42:34.430 --> 42:37.590]  Where exactly are they supposed to go to figure out where to say something?
[42:39.010 --> 42:41.810]  Well, you can go to your local FBI field office.
[42:42.590 --> 42:52.230]  You can go on to FBI.gov and find out contacts or contact our FBI CyWatch directly.
[42:52.570 --> 43:00.070]  And you can go to multiple other agencies as well, because what we've really said is a call to one is a call to all.
[43:00.070 --> 43:08.110]  And that's how we are ensuring that there's that kind of information sharing across the board here.
[43:11.450 --> 43:15.070]  I was just going to say, Cynthia is exactly right.
[43:16.010 --> 43:23.350]  First of all, if you know something within your community, engaging directly with the local election officials is really critical to help understand.
[43:23.350 --> 43:27.310]  Did you actually find something or is this something they're aware of?
[43:27.310 --> 43:32.350]  Otherwise, the second part is engaging with your state officials.
[43:32.350 --> 43:37.410]  They're prepared to take it on. They're the ones that know the process, know their systems, can talk to the vendors.
[43:37.410 --> 43:42.170]  And then the ISAC exists for exactly this reason as well.
[43:42.230 --> 43:50.730]  There's an avenue, and it happens fairly commonly, that if you report to the Election Infrastructure Information Sharing Analysis Center or directly into CISA,
[43:50.730 --> 44:01.430]  we now have the points of contact that we didn't have in 2016 to be able to get valuable information to state and local election officials so that they can take action on something that's identified.
[44:01.430 --> 44:09.290]  There are avenues. Again, the state and local officials know their systems. They're the best prepared to mitigate a problem.
[44:09.290 --> 44:16.510]  But if you're not finding success that route, the ISAC, CISA, FBI field office are available to help you get there.
[44:16.670 --> 44:23.670]  And understandably, some folks may not want to go to the federal government, which is why the ISAC really offers a nice safe place to begin that reporting.
[44:23.830 --> 44:28.690]  I'll offer up EAC as well. You can send an email to security at EAC.gov.
[44:28.690 --> 44:36.210]  Obviously, we have connections with all the manufacturers. If you're having trouble with a particular manufacturer or having trouble with a particular agency or your local official,
[44:36.210 --> 44:40.310]  or just not getting the response you want, we're happy to help facilitate that conversation.
[44:41.190 --> 44:49.350]  And just from a cyber count standpoint, one of the big changes for us is, you know, we historically had been focused, you know, working inside SCIFs.
[44:49.350 --> 44:55.970]  And one of the things that we've really done in support of 2020 is, you know, we have organizations now that live outside SCIFs.
[44:55.970 --> 45:03.410]  They're on NIPRNet or unclassified internet. You know, they're in Slack channels. They're talking to FBI. They're talking to DHS.
[45:03.410 --> 45:13.230]  They're talking to private industry partners. And they're, you know, they're living in that same ecosystem that many of the folks that are listening to this presentation are.
[45:13.230 --> 45:25.270]  And so we have really tried to adapt some of our behavior so we're able to, you know, in real time collaborate with our partners across government, you know, on a little different time schedule than would be a traditional military one.
[45:25.270 --> 45:29.950]  Because I know most of you are probably not up at 530 in the morning doing just the same.
[45:31.530 --> 45:41.490]  So Bill Evanina, the director of the National Counterintelligence Security Center, just recently put out an official statement today talking about the very threat that we're covering here.
[45:41.750 --> 45:48.770]  But all of the threats were basically laid out in an equal manner. Would you say the threats are equal? Which one would you say is the biggest and why?
[45:50.210 --> 46:04.170]  Well, I don't think we need to take any of the threats lightly, right? I think the statement in terms of what you saw out there, it lays out how each adversary is approaching the problem.
[46:04.170 --> 46:16.890]  Certainly, you know, Russia, China, Iran, they all have intent and they all do activities that they think are advancing their best interests here.
[46:16.890 --> 46:36.570]  So, you know, I don't think I would say like one is scarier than the other, per se. Certainly, some of these adversaries are a bit more experienced at this in terms of the amount of time they've been working, you know, doing operations.
[46:36.570 --> 46:54.110]  But, you know, from our perspective, you know, I care about all those threats. I take them all seriously because, you know, again, some of the stuff is very cheap to get into and to execute. So, you know, I wouldn't do a value judgment on those.
[46:54.690 --> 47:08.970]  I totally agree more on that. And I think that it's really important to remember that our threat picture is always informed by what we collect, what we know. And, you know, we don't have perfect pictures.
[47:08.970 --> 47:28.810]  And how we really have to approach all of this is what could be the effect from these various groups? What could happen closer to September, October? Because, you know, it still is a few months away. And we need to be prepared for a lot of different things happening within that.
[47:28.810 --> 47:46.270]  You know, I'm going to flip stop again. You know, it doesn't just have to be the big three. It can be other non-state actors or criminal groups and the like that are going to undermine people's confidence in our system.
[47:46.270 --> 47:58.470]  And really, if you ask me what the biggest threat is, it's these constant drumbeat or influence campaigns that are going to make people feel like they're less confident in our system.
[47:58.470 --> 48:03.990]  And that could be people who vote less. And that's really where, you know, I stand tonight.
[48:05.430 --> 48:14.830]  Hey, Bryson, just real quick. Everyone in the Fed room actually has to take a drink because the Fed said foot stomp. So that's actually one sip for everyone in the Fed room.
[48:16.690 --> 48:17.470]  Thanks.
[48:19.230 --> 48:24.650]  Matt, I can't help but feel like you're cheating the system a little bit because you don't have a drink.
[48:24.650 --> 48:28.630]  I've been drinking this whole panel. Don't worry. I'm good.
[48:31.470 --> 48:33.630]  Hey, put up or shut up. Show us your drink.
[48:34.770 --> 48:36.950]  It's in a water bottle, but it's vodka.
[48:38.950 --> 48:46.990]  So we're coming close to our end of time. So I want to ask a final sort of grab bag questions to each of you.
[48:47.650 --> 48:49.830]  And you have about a minute to respond.
[48:50.530 --> 48:57.510]  So you get a non-internet connected wand, magic wand that you can wave.
[48:57.510 --> 49:00.410]  Is that the magic wand?
[49:00.750 --> 49:03.490]  Yes, that is how it is. Wireless, but wired.
[49:04.530 --> 49:09.410]  And with this magic wand, you can have one thing happen for your agency instantaneously.
[49:10.290 --> 49:15.450]  This isn't reality, right? This isn't, oh, if only I could get that $20 million to fund that.
[49:15.450 --> 49:18.530]  This is, what do you wish from a process perspective?
[49:19.910 --> 49:27.990]  So 2020 is almost written. The mail-in ballots start in a month. People start voting. Those start happening.
[49:28.250 --> 49:36.370]  2024 is our next big one. What is one good thing and one thing we really need to worry about in the future in 2024?
[49:37.750 --> 49:41.550]  See, I feel like I'm the shortstop being right next to you.
[49:42.210 --> 49:43.830]  I like you the most.
[49:43.830 --> 49:45.050]  Okay.
[49:47.870 --> 50:08.750]  So thinking about what I really wish we had more of is I wish we had more people right now with the cyber skillset that we could hire quickly and get them on.
[50:08.750 --> 50:16.550]  So that we could just expand our scope and scale and speed in which we're addressing threats.
[50:16.770 --> 50:21.570]  And I think that that goes towards, you know, we're putting in so much of what we have against the election.
[50:21.570 --> 50:23.850]  And I feel really good about where we're at on it.
[50:23.850 --> 50:26.910]  But what does that take away from some of the other work?
[50:27.190 --> 50:28.910]  And that, you know, that worries me.
[50:28.910 --> 50:36.890]  And I'd like us to know that we have the people coming to us that want to do the right thing.
[50:36.950 --> 50:45.110]  That want to protect America and have those skills necessary to be able to help us in that.
[50:45.110 --> 50:47.670]  As it looks towards 2024, what do I want to keep?
[50:48.490 --> 50:53.180]  So I hope we keep the collaboration and the focus alive.
[50:53.180 --> 50:57.340]  In my opening remarks, I gave a real quick overview of what the FBI does.
[50:57.440 --> 51:03.660]  Part of it is focused on cyber investigations, looking at influence.
[51:03.660 --> 51:06.820]  We developed the Foreign Influence Task Force.
[51:07.260 --> 51:14.200]  And that effort, I think, has really helped us focus on it's not just a cyber issue.
[51:14.200 --> 51:15.960]  It's not just a criminal issue.
[51:15.960 --> 51:17.300]  It's not just an influence issue.
[51:17.300 --> 51:19.400]  It's seeing how it all works together.
[51:19.420 --> 51:23.620]  Internal, getting the China people to talk to the Russian people to talk to the cyber crime people.
[51:23.620 --> 51:26.620]  And looking at it as one threat.
[51:27.600 --> 51:33.100]  That's new within the federal government to really consider it in that space.
[51:33.100 --> 51:36.180]  And I want to keep that moving forward.
[51:36.180 --> 51:40.300]  I think that, yeah, that's...
[51:40.920 --> 51:41.680]  Did I get all your questions?
[51:41.680 --> 51:45.060]  You asked a spectrum of a few of them here.
[51:46.260 --> 51:47.360]  But yeah.
[51:47.360 --> 51:52.800]  And I hope we all stay in touch after we put this in our rear view mirror.
[51:53.540 --> 51:56.640]  If you don't stay in touch, then the next panel is going to be more awkward.
[51:58.740 --> 52:03.040]  I think the one answer is pretty easy for me.
[52:03.180 --> 52:08.120]  Perfect insight into adversary intents and operations is obviously a great thing to have.
[52:08.960 --> 52:11.080]  Dave, you're not supposed to say that you don't have that.
[52:14.380 --> 52:18.540]  So, I mean, that's just going to inform our activities moving forward.
[52:19.380 --> 52:21.580]  Hitting a little bit on Cynthia's point.
[52:21.580 --> 52:25.540]  And going back a bit to a comment I made before in terms of working counterterrorism.
[52:25.540 --> 52:28.020]  A lot of times you're fighting the last war, right?
[52:28.240 --> 52:31.720]  Someone tries to blow up a plane with printer cartridges.
[52:31.840 --> 52:34.420]  The government swarms to figure out how to stop that.
[52:34.420 --> 52:36.000]  But then the adversary moves on.
[52:36.000 --> 52:41.580]  The same thing here. We've seen adversaries evolve.
[52:41.580 --> 52:44.420]  We've seen new adversaries come in.
[52:44.920 --> 52:49.040]  So there's always worry about what you don't know.
[52:49.040 --> 52:55.080]  But what I'm confident in is that we are positioned, a lot better positioned now, for agility.
[52:55.080 --> 53:00.700]  In terms of responding to these threats because of the systems we've set up, the partnerships we have.
[53:00.700 --> 53:05.220]  That is certainly something for 2024 we need to keep building on.
[53:05.220 --> 53:08.660]  And not losing sight of it when new problems come up.
[53:08.760 --> 53:10.840]  Not making sure this remains a focus.
[53:10.840 --> 53:14.480]  I think the DEFCON voting village is very important to keep this running.
[53:14.480 --> 53:15.840]  We need people's help.
[53:16.300 --> 53:19.380]  From NSA specifically, we have a much...
[53:19.380 --> 53:23.580]  We're investing a lot more in the White Hat brand.
[53:24.820 --> 53:27.620]  NSA cyber Twitter account, please go follow it.
[53:27.620 --> 53:29.820]  You're going to see more good stuff coming out of that.
[53:30.680 --> 53:34.820]  But continuing to build upon that is going to be a critical thing we're going to invest in.
[53:34.820 --> 53:40.500]  Moving forward, I can't tell you how excited some of the people were in our building.
[53:40.500 --> 53:44.540]  Like late May, the cybersecurity advisory on the GRU.
[53:44.540 --> 53:46.880]  On the mail vulnerability.
[53:47.120 --> 53:51.480]  Seeing at least five different cybersecurity companies take that information.
[53:51.480 --> 53:54.700]  Pivot on the indicators in their own data sets.
[53:54.700 --> 53:58.260]  Figuring out new things that we didn't even know about.
[53:58.300 --> 54:02.620]  To uncover more of an adversary operation.
[54:02.620 --> 54:05.420]  That got people excited in the building.
[54:05.800 --> 54:08.860]  And that's something we do want to do more of.
[54:08.860 --> 54:11.080]  And again, just hitting on that critical partnership.
[54:11.080 --> 54:14.780]  And that dynamic of us using each other's information.
[54:14.780 --> 54:17.620]  And building the security of the enterprise.
[54:17.620 --> 54:19.880]  Raising all those. It sounds kind of Pollyanna-ish.
[54:19.880 --> 54:22.040]  But I think it's really important.
[54:23.840 --> 54:27.640]  Hey, Bryce. If I could wave a magic wand, I would wave it.
[54:27.640 --> 54:30.140]  And we would get COVID-19 under control.
[54:30.860 --> 54:33.460]  I just got to tell you, there's great collaboration.
[54:33.460 --> 54:35.320]  But we could do so much more.
[54:35.640 --> 54:38.560]  We could do so much more with our partners here.
[54:38.600 --> 54:40.820]  We could do so much more overseas.
[54:41.300 --> 54:43.760]  If we could get the pandemic under control.
[54:43.760 --> 54:46.200]  So please wear your mask and help us do that.
[54:46.200 --> 54:49.780]  The second piece, where do we see this in 2024?
[54:50.100 --> 54:52.980]  You do get asked questions, but I get to answer the question a lot.
[54:53.220 --> 54:55.820]  I would rather focus on 2020.
[54:55.820 --> 54:58.640]  2020 is not a foregone conclusion.
[54:58.640 --> 55:01.960]  We can have a safe, secure, and credible election.
[55:01.980 --> 55:05.140]  As an American people, we need to mobilize.
[55:05.480 --> 55:07.920]  There are thousands of smart people.
[55:08.320 --> 55:12.900]  Extraordinarily technically capable that are watching this session right now.
[55:12.900 --> 55:15.940]  Please go work at polling stations.
[55:15.940 --> 55:19.760]  Please talk to DHS. Please talk to the FBI.
[55:20.080 --> 55:22.540]  Again, we are all in.
[55:22.540 --> 55:24.840]  We have thousands of people that are going to work every day
[55:24.840 --> 55:28.420]  in order to support a safe, secure, and credible election.
[55:28.600 --> 55:31.000]  And I would just ask for everybody's help.
[55:32.240 --> 55:35.060]  I like your magic wand answer. I really appreciate that.
[55:35.060 --> 55:38.060]  It gives a greater sense of where we all are in the world today.
[55:38.220 --> 55:40.780]  If I could wave my magic wand on EAC,
[55:40.780 --> 55:43.020]  I would say that we would be doing better
[55:43.540 --> 55:47.620]  to get the VBSG more flexible
[55:48.280 --> 55:49.980]  and faster responding.
[55:49.980 --> 55:53.340]  So this idea that if we can get you researchers interested
[55:53.340 --> 55:57.220]  in election infrastructure and discover those vulnerabilities,
[55:57.220 --> 55:59.740]  report them responsibly, and then we can get the manufacturers
[55:59.740 --> 56:01.860]  to patch and get those out in the field
[56:02.300 --> 56:03.860]  in a much faster turnaround,
[56:03.860 --> 56:06.920]  I think we'd be in a much better position.
[56:06.920 --> 56:10.980]  We're working toward that. It's still a process that takes some time,
[56:10.980 --> 56:13.080]  but I think we can get there by 2024.
[56:13.560 --> 56:16.480]  And just to recognize that federal elections are every two years,
[56:16.480 --> 56:19.520]  but locals are running elections every few weeks.
[56:19.560 --> 56:22.060]  And so there's a bigger stake at play,
[56:22.060 --> 56:24.480]  because every election that's run is a chance to show
[56:24.480 --> 56:27.460]  that we can do democracy right. We're going to keep doing it.
[56:27.460 --> 56:29.880]  And it's done very well most of the time.
[56:29.880 --> 56:31.640]  It's just those few times where there's those hiccups
[56:32.460 --> 56:35.440]  that we have some trouble and it starts to erode that confidence.
[56:35.440 --> 56:38.580]  So the better we can get at getting those patches,
[56:38.580 --> 56:40.340]  the much better off the whole system will run.
[56:42.040 --> 56:44.600]  Yeah, so the magic wand,
[56:44.600 --> 56:47.980]  I got two answers, I think, and I had the advantage of time,
[56:47.980 --> 56:51.100]  which is useful. The first is,
[56:51.100 --> 56:57.120]  if there is a way for CISA to push out service agreements
[56:57.120 --> 57:00.920]  or whatever the case may be to upgrade election systems,
[57:00.920 --> 57:04.400]  not just voting systems, where most of the focus goes,
[57:04.400 --> 57:06.600]  but election systems, including workstations,
[57:06.600 --> 57:09.760]  off of outdated and unsupported software,
[57:09.760 --> 57:12.520]  I absolutely want to do that.
[57:12.660 --> 57:15.240]  It's not just Windows 7. We're talking older.
[57:16.040 --> 57:19.100]  It's not that the local election officials or state officials
[57:19.100 --> 57:22.280]  don't want to upgrade. It's that they lack either the
[57:22.280 --> 57:25.500]  IT support or resources, and I'd love to be able to give that to them.
[57:25.500 --> 57:28.000]  The second is getting to 100% auditability
[57:28.840 --> 57:31.260]  across the nation and having efficient,
[57:31.260 --> 57:34.420]  effective audits for 2020. We're going to be
[57:34.420 --> 57:36.820]  upwards of 92 plus percent of
[57:36.820 --> 57:40.540]  auditable records, but we need good, efficient, effective audits
[57:40.540 --> 57:43.220]  that are transparent. I mean,
[57:43.220 --> 57:46.360]  Neil McBurnett asked a question earlier. He's making it his mission in life
[57:46.360 --> 57:48.800]  to get to this, and I so appreciate it.
[57:48.800 --> 57:52.600]  If we can provide that public, that transparent auditing process,
[57:52.600 --> 57:54.700]  efficient and effective, I think
[57:54.700 --> 57:58.320]  it would be a real success. Looking forward,
[57:58.320 --> 58:00.920]  there's something in elections called the election wall, where you
[58:00.920 --> 58:03.980]  literally lack the ability to look past the next election.
[58:03.980 --> 58:07.700]  You don't even know what life looks like beyond that,
[58:07.700 --> 58:09.620]  but if I had to really
[58:11.300 --> 58:13.100]  push myself through that,
[58:13.100 --> 58:16.420]  it would be increasing the amount of support resources
[58:16.420 --> 58:19.420]  and I don't just mean money, to state and local
[58:19.420 --> 58:22.380]  officials to help them meaningfully manage the risk to their
[58:22.380 --> 58:25.440]  systems and really take some of the innovative
[58:25.440 --> 58:28.460]  steps that they want to take that they're unable
[58:28.460 --> 58:31.700]  to, either because of a lack of IT support
[58:31.700 --> 58:34.380]  or resourcing that otherwise would allow them to
[58:34.380 --> 58:37.700]  serve voters. And then finally, I know I'm cheating,
[58:38.220 --> 58:40.620]  but a more resilient American public,
[58:40.800 --> 58:43.600]  a deeper understanding of how elections work, a deeper
[58:43.600 --> 58:46.820]  understanding of what their options are, how ballots
[58:48.000 --> 58:49.840]  reach them, or how they can
[58:49.840 --> 58:52.480]  interact with the process, and then how
[58:52.480 --> 58:55.880]  we reach our final certified elections.
[58:55.880 --> 58:58.700]  Again, that prepared, patient, and participating
[58:58.700 --> 59:00.940]  voter is everything as we look at 2020.
[59:02.300 --> 59:05.460]  I feel the same way, Matt, as a village
[59:05.460 --> 59:08.160]  organizer for DEF CON that I can't look past this weekend.
[59:09.020 --> 59:11.380]  So, thank you to all of the
[59:11.380 --> 59:14.860]  panelists for sharing what your organization is doing.
[59:15.000 --> 59:16.180]  I have to say it is
[59:16.820 --> 59:20.160]  making me feel a lot better, understanding the level of collaboration,
[59:20.160 --> 59:23.160]  the transparency on the fallibility and the improvement,
[59:23.160 --> 59:26.140]  and very much looking forward to what we can do. We are all
[59:26.140 --> 59:29.520]  citizens and our voices should be heard. Thank you.
[59:29.520 --> 59:30.920]  Thank you.
